Lucene search
This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2013-0612.NASLHistoryJul 12, 2013 - 12:00 a.m.
Oracle Linux 6 : ruby (ELSA-2013-0612)
2013-07-1200:00:00
This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
9
From Red Hat Security Advisory 2013:0612 :
Updated ruby packages that fix two security issues are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks.
It was discovered that Ruby’s REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821)
It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)
The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat.
All users of Ruby are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:0612 and
# Oracle Linux Security Advisory ELSA-2013-0612 respectively.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(68782);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2012-4481", "CVE-2013-1821");
script_bugtraq_id(55813, 58141);
script_xref(name:"RHSA", value:"2013:0612");
script_name(english:"Oracle Linux 6 : ruby (ELSA-2013-0612)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Oracle Linux host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"From Red Hat Security Advisory 2013:0612 :
Updated ruby packages that fix two security issues are now available
for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.
Ruby is an extensible, interpreted, object-oriented, scripting
language. It has features to process text files and to do system
management tasks.
It was discovered that Ruby's REXML library did not properly restrict
XML entity expansion. An attacker could use this flaw to cause a
denial of service by tricking a Ruby application using REXML to read
text nodes from specially crafted XML content, which will result in
REXML consuming large amounts of system memory. (CVE-2013-1821)
It was found that the RHSA-2011:0910 update did not correctly fix the
CVE-2011-1005 issue, a flaw in the method for translating an exception
message into a string in the Exception class. A remote attacker could
use this flaw to bypass safe level 4 restrictions, allowing untrusted
(tainted) code to modify arbitrary, trusted (untainted) strings, which
safe level 4 restrictions would otherwise prevent. (CVE-2012-4481)
The CVE-2012-4481 issue was discovered by Vit Ondruch of Red Hat.
All users of Ruby are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://oss.oracle.com/pipermail/el-errata/2013-March/003340.html"
);
script_set_attribute(attribute:"solution", value:"Update the affected ruby packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-irb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-rdoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-ri");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-static");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ruby-tcltk");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/09");
script_set_attribute(attribute:"patch_publication_date", value:"2013/03/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Oracle Linux Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
flag = 0;
if (rpm_check(release:"EL6", reference:"ruby-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-devel-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-docs-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-irb-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-libs-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-rdoc-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-ri-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-static-1.8.7.352-10.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"ruby-tcltk-1.8.7.352-10.el6_4")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby / ruby-devel / ruby-docs / ruby-irb / ruby-libs / ruby-rdoc / etc");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | ruby | p-cpe:/a:oracle:linux:ruby |
| oracle | linux | ruby-devel | p-cpe:/a:oracle:linux:ruby-devel |
| oracle | linux | ruby-docs | p-cpe:/a:oracle:linux:ruby-docs |
| oracle | linux | ruby-irb | p-cpe:/a:oracle:linux:ruby-irb |
| oracle | linux | ruby-libs | p-cpe:/a:oracle:linux:ruby-libs |
| oracle | linux | ruby-rdoc | p-cpe:/a:oracle:linux:ruby-rdoc |
| oracle | linux | ruby-ri | p-cpe:/a:oracle:linux:ruby-ri |
| oracle | linux | ruby-static | p-cpe:/a:oracle:linux:ruby-static |
| oracle | linux | ruby-tcltk | p-cpe:/a:oracle:linux:ruby-tcltk |
| oracle | linux | 6 | cpe:/o:oracle:linux:6 |
Related
openvas
openvas
Amazon Linux: Security Advisory (ALAS-2013-173)
2015-09-08 00:00:00
RedHat Update for ruby RHSA-2013:0612-01
2013-03-08 00:00:00
RedHat Update for ruby RHSA-2013:0612-01
2013-03-08 00:00:00
nessus
nessus
Amazon Linux AMI : ruby (ALAS-2013-173)
2013-09-04 00:00:00
Scientific Linux Security Update : ruby on SL6.x i386/x86_64 (20130307)
2013-03-08 00:00:00
CentOS 6 : ruby (CESA-2013:0612)
2013-03-10 00:00:00
amazon
amazon
centos
centos
ruby security update
2013-03-09 00:47:26
ruby security update
2013-01-09 20:36:59
ruby security update
2013-03-08 00:25:53
redhat
redhat
(RHSA-2013:0612) Moderate: ruby security update
2013-03-07 00:00:00
(RHSA-2013:0129) Moderate: ruby security and bug fix update
2013-01-08 00:00:00
(RHSA-2013:0611) Moderate: ruby security update
2013-03-07 00:00:00
oraclelinux
oraclelinux
ruby security update
2013-03-07 00:00:00
ruby security update
2013-03-07 00:00:00
ruby security and bug fix update
2013-01-11 00:00:00
ubuntucve
ubuntucve
veracode
veracode
Unauthorized Modification
2019-01-15 08:52:55
Arbitrary Code Execution
2019-05-02 04:45:35
Access Control Bypass
2020-04-10 00:59:04
prion
prion
Design/Logic Flaw
2013-05-02 14:55:00
Design/Logic Flaw
2013-04-09 21:55:00
Design/Logic Flaw
2011-03-02 20:00:00
cve
cve
ubuntu
ubuntu
Ruby vulnerability
2013-03-25 00:00:00
Ruby vulnerabilities
2012-10-23 00:00:00
Ruby vulnerabilities
2012-10-10 00:00:00
github
github
Ruby vulnerable to denial of service
2022-05-17 03:23:26
osv
osv
Ruby vulnerable to denial of service
2022-05-17 03:23:26
ruby1.9.1 - several
2013-08-18 00:00:00
ruby1.8 - several
2013-12-04 00:00:00
securityvulns
securityvulns
Ruby restrictions bypass
2012-10-15 00:00:00
[USN-1603-1] Ruby vulnerabilities
2012-10-15 00:00:00
ruby multiple security vulnerabilities
2011-05-25 00:00:00
rubygems
rubygems
CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML
2013-02-21 20:00:00
CVE-2011-1005 Ruby: Untrusted codes able to modify arbitrary strings
2011-02-17 21:00:00
Ruby name_err_mesg_to_str Method Safe Level Security Bypass
2012-10-11 20:00:00
gentoo
gentoo
Ruby: Denial of service
2014-12-13 00:00:00
debian
debian
[SECURITY] [DSA 2738-1] ruby1.9.1 security update
2013-08-18 16:58:53
[SECURITY] [DSA 2809-1] ruby1.8 security update
2013-12-04 21:28:11
[SECURITY] [DSA 2809-1] ruby1.8 security update
2013-12-04 21:28:11
slackware
slackware
ruby
2013-03-16 01:11:53
seebug
seebug
Ruby 安全级别限制绕过漏洞(CVE-2012-4466)
2013-04-28 00:00:00
fedora
fedora
[SECURITY] Fedora 13 Update: ruby-1.8.6.420-2.fc13
2011-03-02 01:46:19
[SECURITY] Fedora 16 Update: ruby-1.8.7.358-4.fc16
2012-10-14 03:52:43
Related for ORACLELINUX_ELSA-2013-0612.NASL